The initial nmap scan shows two open ports.
A full port scan has the same results.
Port 22
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Port 80
80/tcp open http syn-ack Apache httpd 2.4.41
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-03-17 17:46 grav-admin/
|_
|_http-title: Index of /
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
It uses Grav CMS; the version is still unknown to me.
There is a way to add a new menu item by adding a new folder to the location user/pages/01.home.
We can add a new page by creating a new folder like 02.my page.
In this folder we can add a new default.md page, which adds a new menu item.
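The folder convention described above also gives a defender something to audit. As an added example (not part of the original notes), this Python script lists every Markdown page under user/pages and reports files added or changed since a baseline; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Grav convention: a folder named "NN.slug" is ordered and shown in the menu by
# default; the .md filename inside it names the template (default.md -> "default").
NUMBERED = re.compile(r"^\d+\..+$")


def list_pages(pages_root):
    """Return one record per Markdown file under user/pages, sorted by path."""
    root = Path(pages_root)
    records = []
    for md in sorted(root.rglob("*.md")):
        records.append({
            "path": md.relative_to(root).as_posix(),
            "template": md.stem,
            "in_menu": NUMBERED.match(md.parent.name) is not None,
            "sha256": hashlib.sha256(md.read_bytes()).hexdigest(),
        })
    return records


def diff_against_baseline(baseline, current):
    """Report page files that are new or whose content changed since the baseline."""
    known = {r["path"]: r["sha256"] for r in baseline}
    added = [r["path"] for r in current if r["path"] not in known]
    changed = [r["path"] for r in current
               if r["path"] in known and known[r["path"]] != r["sha256"]]
    return {"added": added, "changed": changed}


def demo():
    """Constructed sample tree: a home page, then a new '02.my page' folder."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = Path(tmp) / "user" / "pages"
        (pages / "01.home").mkdir(parents=True)
        (pages / "01.home" / "default.md").write_text("---\ntitle: Home\n---\n")
        baseline = list_pages(pages)
        (pages / "02.my page").mkdir()
        (pages / "02.my page" / "default.md").write_text("---\ntitle: My Page\n---\n")
        current = list_pages(pages)
        return baseline, current, diff_against_baseline(baseline, current)


if __name__ == "__main__":
    print(demo()[2])
```

Run against a known-good copy of the site to record the baseline, then rerun on the live tree; any entry under "added" that nobody on the team created deserves a closer look.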
searchsploit
The searchsploit results show two exploits:
GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) php/webapps/49788.rb
GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) php/webapps/49973.py
The second exploit is a Python script. I followed the steps shown in the exploit itself to try to get the initial shell.
The exploit didn't work at the moment.
I tried the first exploit with Metasploit, and it worked.